CCIE lab notes: switching security (5)
2007-04-03 09:16:10
Copyright notice: original work. To repost, please contact the author; otherwise legal liability will be pursued.

Part 5: IP Source Guard
IP Source Guard (IPSG) provides a checking mechanism that verifies the packets received on an individual interface. If the check passes, the packet is permitted; otherwise it is treated as a policy violation. IPSG not only ensures that the IP addresses of end devices in a layer-2 network cannot be hijacked, it also prevents unauthorized devices from accessing the network, or bringing it down, by assigning themselves an IP address.

With the help of the DHCP snooping binding table or static IP source bindings, IPSG obtains valid source port information. After DHCP snooping and IP source guard are enabled on an untrusted port, the switch blocks all traffic except DHCP packets. Once the DHCP server has assigned an IP address, the DHCP binding table is updated. IPSG then automatically loads a port-based VLAN ACL (PACL) on the interface, which restricts the client's traffic to the source IP address recorded in the binding table. Traffic from the host port with any source IP address other than the one in its IP source binding is filtered.

IP source guard only supports layer-2 ports, including access and trunk interfaces. On untrusted (layer-2) ports there are two levels of IP traffic security filtering:

* Source IP address filtering: IP traffic is filtered by source IP address, and is only permitted when the source IP address matches an IP source binding entry. When an IP source binding entry is created, modified or deleted on the port, the IP source address filter changes; to reflect the change in IP source bindings, the port PACL is modified and re-applied to the port. By default, if IP source guard is enabled on a port that has no IP source binding configured, the default PACL denies all traffic on that port. If you disable IP source guard, the port ACL is also removed from the interface.

* Source IP and MAC address filtering: IP traffic is filtered by both source IP address and source MAC address, and is only permitted when both match an IP source binding entry. When filtering on IP and MAC address, DHCP snooping option 82 must also be enabled so that the DHCP protocol keeps working: without option 82 the switch cannot determine the client host port on which to forward the DHCP server's response; the response is dropped instead and the client cannot obtain an IP address. The switch uses port security to filter source MAC addresses, so port security's violation handling on the port is turned off.

Configuration procedure:
Notes:
1. Before enabling source-IP-based IP source guard on a VLAN, DHCP snooping must be enabled first.
2. If IP source guard is enabled for multiple VLANs on a trunk interface, DHCP snooping must be enabled on all of those VLANs, and the source-IP filtering policy must be applied to all of those VLANs.
3. Before enabling source-IP-and-MAC-based IP source guard, DHCP snooping and port security must be enabled.
4. When source-IP-and-MAC-based IP source guard is enabled on a private VLAN, port security is not supported.
5. IP source guard does not support EtherChannel.
6. This feature can also be used when 802.1x authentication is enabled.

Configuration:
1) Enter global configuration mode: configure terminal
2) Enter interface mode: interface <interface-id>
3) Enable IP source guard
   based on source IP address: ip verify source
   based on source IP and MAC address: ip verify source port-security
   Note: the DHCP server must support option 82, otherwise the client is not assigned an IP address; also, the MAC address is not learned as a secure address.
4) Enter global configuration mode and add a static IP source binding: ip source binding <mac-address> vlan <vlan-id> <ip-address> interface <interface-id>
5) Verify the result:
   show ip verify source [interface <interface-id>]
   show ip source binding [<ip-address>] [<mac-address>] [interface <interface-id>] [vlan <vlan-id>] [dhcp snooping|static]

Example:
ÎÒÃǽÓ×ÅÉϲ¿·ÖÊÔÑé¼ÌÐø Switch(config)#interface f0/2 Switch(config-if)#switchport port-security Switch(config-if)#ip verify source port-security Switch(config)#interface f0/3 Switch(config-if)#switchport port-security Switch(config-if)#ip verify source port-security Switch(config-if)#exit Switch(config)#ip source binding 00e0.1e60.7c86 vlan 10 192.168.1.1 interface f0/1 Switch(config)#end Switch#show ip source bind
MacAddress IpAddress Lease(sec) Type VLAN Interface ---------- ----------- ---------- ------------- ---- ---------------- 00:10:7B:3C:01:DA 192.168.1.2 85535 dhcp-snooping 10 fastEthernet0/2 00:E0:1E:60:7C:86 192.168.1.1 infinite static 10 fastEthernet0/1 Total number of bindings: 3 ---------------------------------------------------------------- Switch#show ip verify source Interface Filter-type Filter-mode IP-address Mac-address Vlan --------- ---------- ----------- --------------- ------------- ---------- Fa0/2 ip-mac active 192.168.1.2 permit-all 10 Fa0/3 ip-mac active deny-all permit-all 10 µÚÁù²¿·Ö ¶¯Ì¬ARP¼ì²â DAI(Dynamic ARP Inspection)¶¯Ì¬ARP¼ì²âÊÇÒ»ÖÖÄܹ»ÑéÖ¤ÍøÂçÖÐARPµØÖ·½âÎöÐÒéÊý¾Ý±¨µÄ°²È«ÌØÐÔ¡£Í¨¹ýDAI£¬ÍøÂç¹ÜÀíÔ±Äܹ»À¹½Ø¡¢¼Ç¼ºÍ¶ªÆú¾ßÓÐÎÞЧMACµØÖ·/IPµØÖ·°ó¶¨µÄARPÊý¾Ý°ü¡£ ÈçÉÏͼ£¬Ö÷»úA¡¢Ö÷»úB¡¢Ö÷»úCÁ¬½Óµ½½»»»»úÖÐÏàͬµÄÍøÂç»òͬһ¸övlanÖС£Ö÷»úAÐèÒªÓëÖ÷»úB½øÐÐͨÐÅ£¬Ö÷»úA¹ã²¥ARPÇëÇóͨ¹ýÖ÷»úBµÄIPµØÖ·£¨IB£©À´»ñµÃÖ÷»úBµÄMACµØÖ·¡£ÒòΪARPÇëÇóÊÇÒԹ㲥µÄÐÎʽ´«ËÍ£¬½»»»»úºÍÖ÷»úBÊÕµ½Ö÷»úA·¢³öµÄARPÇëÇóÖ®ºó£¬»áÔÚ×Ô¼ºµÄARP»º´æÖд´½¨»ò¸üÐÂÖ÷»úAµÄMACµØÖ·£¨MA£©ºÍIPµØÖ·£¨IA£©£¬È»ºóÖ÷»úBÒ»µ¥²¥µÃÐÎʽ·¢ËÍARPÏìÓ¦£¬½»»»»úºÍÖ÷»úAÊÕµ½ARPÏìÓ¦Ö®ºó£¬Ö÷»úA½«¸üÐÂ×Ô¼ºµÄARP»º´æ£¬½«Ö÷»úBµÄIPµØÖ·ºÍMACµØÖ·¶ÔÓ¦¡£ Ö÷»úCÆÆ»µ½»»»»úµÄARP»º´æ£¬Ö÷»úC·¢ËÍαÔìµÄARPÏìÓ¦£¨½«×Ô¼ºµÄMACµØÖ·´úÌæÕæÊµÖ÷»úµÄMACµØÖ·£¬±ÈÈçÖ÷»úCÓÃ×Ô¼ºµÄMACµØÖ·£¨MC£©Ìæ´úÖ÷»úB·¢¸øÖ÷»úAµÄMACµØÖ·£¨MB£©£©£¬Ê¹µÃÖ÷»úA£¨»òÖ÷»úB£©µÄIPµØÖ·ºÍÖ÷»úCµÄMACµØÖ·£¨MC£©¶ÔÓ¦£¬Ö÷»úCÒÔÖмäÈ˵ÄÉí·Ý·¢Æð¹¥»÷¡£ÕâÑùÔì³ÉÖ÷»úA²»ÄÜÓµÓÐÖ÷»úBÕæÊµµÄMACµØÖ·µÄARPÌõÄ¿£¬Í¬Ñù£¬Ö÷»úBÒ²ÈÏΪÖ÷»úCµÄMACµØÖ·ÊÇÓ³Éäµ½Ö÷»úA IPµØÖ·µÄÕæÊµµØÖ·¡£¶ÔÓÚÖ÷»úAºÍÖ÷»úBÖ®¼äµÄͨÐÅ£¬¶¼»á±»·¢ÍùÖ÷»úC£¬Ö÷»úCÄܹ»ÔÚÔĶÁÄÚÈݺó½øÐÐÁ÷Á¿µÄÖØ¶¨Ïò¡£ ¶¯Ì¬ARP¼ì²âÊÇÒ»¸ö°²È«ÌØÐÔ£¬Í¨¹ýDAI£¬ÍøÂç¹ÜÀíÔ±Äܹ»¼ì²â¡¢À¹½Ø¡¢¼Ç¼ºÍ¶ªÆú¾ßÓÐÎÞЧMACµØÖ·/IPµØÖ·°ó¶¨µÄARPÊý¾Ý°ü¡£Äܹ»Ô¤·À¡°ÖмäÈË¡±µÄ¹¥»÷¡£ ¶¯Ì¬ARP¼ì²âÖ»»áת·¢ºÏ·¨µÄARPÇëÇóºÍÏìÓ¦°ü£¬Ëû»á£º * ¼ì²â²»ÐÅÈεĶ˿ÚÉϵÄËùÓÐARPÇëÇóºÍÏìÓ¦°ü * ÔÚ¸üб¾µØµÄARP»º´æºÍת·¢ARPÊý¾Ý°üµ½Ä¿µÄµØÖ®Ç°£¬»á¼ì²âÊÇ·ñÊǺϷ¨µÄIPºÍMACµØÖ·¶ÔÓ¦ÄÚÈÝ¡£ * Èç¹ûÈ·ÈÏÊDz»ºÏ·¨µÄÊý¾Ý°ü£¬Ëû»á¶ªÆúÊý¾Ý°ü²¢¼Ç¼Õâ¸öÎ¥¹æµÄÐÐΪ¡£ 
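To make the two decisions concrete, here is an added example (not from the original post) that models how IPSG filters IP packets on a port and how DAI checks ARP packets on an untrusted port against the same binding table. Binding, norm_mac, ipsg_permits and dai_permits are names chosen here; the table entries are constructed to mirror the lab output above.

```python
# Added example: a model of IP Source Guard and Dynamic ARP Inspection decisions
# driven by one binding table. Names and sample values are constructed here.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str          # normalised as xxxx.xxxx.xxxx
    ip: str
    vlan: int
    interface: str

def norm_mac(mac: str) -> str:
    """Accept 00:E0:1E:60:7C:86 or 00e0.1e60.7c86 and return 00e0.1e60.7c86."""
    h = mac.replace(":", "").replace(".", "").replace("-", "").lower()
    if len(h) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

# Constructed binding table: one DHCP-snooping entry and one static entry, as in the lab.
BINDINGS = [
    Binding(norm_mac("00:10:7B:3C:01:DA"), "192.168.1.2", 10, "Fa0/2"),
    Binding(norm_mac("00e0.1e60.7c86"), "192.168.1.1", 10, "Fa0/1"),
]

def ipsg_permits(interface, src_ip, src_mac, filter_type="ip-mac", is_dhcp=False):
    """IP Source Guard decision for an IP packet entering `interface`.
    DHCP is always allowed so the client can obtain a lease; with no binding on the
    port the default PACL denies everything else. filter_type is "ip" or "ip-mac"."""
    if is_dhcp:
        return True
    port_bindings = [b for b in BINDINGS if b.interface == interface]
    if not port_bindings:
        return False                      # default PACL: deny-all
    mac = norm_mac(src_mac)
    for b in port_bindings:
        if b.ip == src_ip and (filter_type == "ip" or b.mac == mac):
            return True
    return False

def dai_permits(interface, trusted, sender_ip, sender_mac, vlan):
    """DAI decision for an ARP packet: trusted ports bypass inspection; on untrusted
    ports the sender IP/MAC pair must match a binding in that VLAN."""
    if trusted:
        return True
    mac = norm_mac(sender_mac)
    return any(b.vlan == vlan and b.ip == sender_ip and b.mac == mac for b in BINDINGS)
```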
Dynamic ARP inspection determines whether a packet is valid from the valid IP-to-MAC address entries in a trusted database (such as manual configuration or the DHCP snooping binding table). This database can be configured manually, or built by dynamic learning when DHCP snooping is enabled on the VLAN. In an environment with a DHCP server, dynamic ARP inspection can be enabled on each VLAN by enabling DHCP snooping and using the ip arp inspection vlan command. Without a DHCP environment, the user has to define the packets that dynamic ARP inspection treats as valid by configuring IP addresses manually in an ARP access list.

Interface trust state and network security
If an ARP packet is received on a trusted port, the switch forwards it directly without any inspection. If an ARP packet is received on an untrusted port, the switch only forwards it if it is valid. In a typical network, all switch ports that connect to hosts are configured as untrusted, and all ports that connect switches to other switches are configured as trusted. In the figure below, switch A and switch B run dynamic ARP inspection; host 1 and host 2 obtain their IP addresses from the DHCP server connected to switch A, so switch A builds IP-to-MAC bindings for host 1 and host 2, while switch B builds a binding for host 2. If the ports connecting switch A and switch B were set to untrusted, ARP packets sent by host 1 would be dropped by switch B when they arrive, and the connectivity between host 1 and host 2 would be broken.

Configuration procedure:
Default configuration:

Feature                                 Default
--------------------------------------  -----------------------------------------------------
Dynamic ARP inspection                  Disabled on all VLANs
Interface trust state                   All interfaces are untrusted
Rate limit of incoming ARP packets      Untrusted ports: 15 pps; trusted ports: no limit
ARP ACLs for non-DHCP environments      None defined
Validity checks                         No checks performed
Log buffer                              All denied and dropped ARP packets are logged; the buffer
                                        size is 32 entries; system messages are limited to one
                                        every 5 seconds
Per-VLAN logging                        All denied and dropped packets are logged

Configuring DAI in a DHCP environment
1) Configure the corresponding DHCP snooping and IP source guard
2) Enter global configuration mode: configure terminal
3) Enable dynamic ARP inspection on the specified VLANs: ip arp inspection vlan <vlan-range>
4) Enter interface mode: interface <interface-id>
5) Designate the trusted port: ip arp inspection trust
6) Verify the result:
   show ip arp inspection
   show ip arp inspection database
   show ip arp inspection vlan <vlan-id>
   show ip arp inspection statistics vlan <vlan-id>

Example:

swA#config terminal
swA(config)#ip dhcp snooping
swA(config)#ip dhcp snooping vlan 10
swA(config)#ip arp inspection vlan 10
swA(config)#interface f0/1
swA(config-if)#ip dhcp snooping trust
swA(config-if)#switch access vlan 10
swA(config-if)#interface f0/2
swA(config-if)#switch access vlan 10
swA(config)#interface f0/23
swA(config-if)#ip arp inspection trust
--------------------------------------------------
swB#config terminal
swB(config)#ip dhcp snooping
swB(config)#ip dhcp snooping vlan 10
swB(config)#ip arp inspection vlan 10
swB(config-if)#interface f0/3
swB(config-if)#switch access vlan 10
swB(config)#interface f0/23
swB(config-if)#ip arp inspection trust
swB(config-if)#ip dhcp snooping trust
-----------------------------------------------------------
The router connected to switch A fa0/1 plays the role of the DHCP server:
dhcpserver#conf ter
dhcpserver(config)#ip dhcp excluded-address 192.168.1.1
dhcpserver(config)#ip dhcp pool cisco
dhcpserver(dhcp-config)#network 192.168.1.0 255.255.255.0
dhcpserver(dhcp-config)#default-route 192.168.1.1
-------------------------------------------------------------
The router connected to switch A fa0/2 plays the role of host 1:
host1(config)#no ip routing
host1(config)#int e0
host1(config-if)#ip address dhcp
-------------------------------------------------------------
The router connected to switch B fa0/3 plays the role of host 2:
host2(config)#no ip routing
host2(config)#int f0/0
host2(config-if)#ip address dhcp
------------------------------------------------------------
SWA#show ip dhcp snoo bind
MacAddress          IpAddress       Lease(sec)  Type           VLAN  Interface
------------------  --------------  ----------  -------------  ----  ----------------
00:E0:1E:60:7C:86   192.168.1.2     83702       dhcp-snooping  10    FastEthernet0/2
Total number of bindings: 1
-------------------------------------------------------------------------
SWA#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
10    Enabled        Active

Vlan  ACL Logging  DHCP Logging
----  -----------  ------------
10    Deny         Deny

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
10    0          0        0           0

Vlan  DHCP Permits  ACL Permits  Source MAC Failures
----  ------------  -----------  -------------------
10    0             0            0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
10    0                  0                       0
------------------------------------------------------------------------
SWA#show ip arp inspection statistics vlan 10
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
10    0          0        0           0

Vlan  DHCP Permits  ACL Permits  Source MAC Failures
----  ------------  -----------  -------------------
10    0             0            0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
10    0                  0                       0
-------------------------------------------------------------------------
SWA#show ip arp inspection inter
Interface        Trust State  Rate (pps)  Burst Interval
---------------  -----------  ----------  --------------
Fa0/1            Untrusted    15          1
Fa0/2            Untrusted    15          1
Fa0/3            Untrusted    15          1
Fa0/4            Untrusted    15          1
Fa0/5            Untrusted    15          1
Fa0/6            Untrusted    15          1
Fa0/7            Untrusted    15          1
Fa0/8            Untrusted    15          1
Fa0/9            Untrusted    15          1
Fa0/10           Untrusted    15          1
Fa0/11           Untrusted    15          1
Fa0/12           Untrusted    15          1
Fa0/13           Untrusted    15          1
Fa0/14           Untrusted    15          1
Fa0/15           Untrusted    15          1
Fa0/16           Untrusted    15          1
Fa0/17           Untrusted    15          1
Fa0/18           Untrusted    15          1
Fa0/19           Untrusted    15          1
Fa0/20           Untrusted    15          1
Fa0/21           Untrusted    15          1
Fa0/22           Untrusted    15          1
Fa0/23           Trusted      None        N/A
Fa0/24           Untrusted    15          1
Gi0/1            Untrusted    15          1
Gi0/2            Untrusted    15          1
Po13             Untrusted    15          1
Po14             Untrusted    15          1
--------------------------------------------------------------
SWB#show ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
10    Enabled        Active

Vlan  ACL Logging  DHCP Logging
----  -----------  ------------
10    Deny         Deny
-------------------------------------------------------------------
SWA#show ip arp inspection statistics
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
10    13         45       45          0

Vlan  DHCP Permits  ACL Permits  Source MAC Failures
----  ------------  -----------  -------------------
10    1             0            0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
10    0                  0                       0
-----------------------------------------------------------------------

Testing the attack

We let host 2 play the attacker by configuring host 2's IP address to be host 1's IP address.

Rack11SW2#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
14:36:50: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/3, vlan 10.([0013.1a7f.8c21/192.168.1.2/0000.0000.0000/11.11.36.6/14:36:49 UTC Mon Mar 1 1993]).
14:36:51: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 10.([0013.1a7f.8c21/192.168.1.2/000d.bde6.a880/192.168.1.200/14:36:50 UTC Mon Mar 1 1993]).
14:36:55: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 10.([0013.1a7f.8c21/192.168.1.2/000d.bde6.a880/192.168.1.200/14:36:54 UTC Mon Mar 1 1993]).
Success rate is 0 percent (0/5)
----------------------------------------------------------------------------
SWB#show arp
Protocol  Address      Age (min)  Hardware Addr  Type  Interface
Internet  192.168.1.2          0  Incomplete     ARPA
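The %SW_DAI-4-DHCP_SNOOPING_DENY messages above are what a monitoring system sees when DAI drops the spoofed ARP. As an added example (not from the original post), the following parses those lines, aggregates them per port and sender, and correlates the claimed IP against the DHCP snooping binding table so the alert names whose address is being claimed. DENY_RE, parse_denies and spoof_report are names chosen here; the binding table is constructed to match the "show ip dhcp snooping binding" output above.

```python
# Added example: detection-side parsing of the DAI deny syslog lines shown on this page.
import re
from collections import Counter

DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<port>[^,]+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)

# Constructed: the binding DHCP snooping learned in the DAI lab (host 1 on switch A Fa0/2).
BINDINGS = {("192.168.1.2", 10): ("00e0.1e60.7c86", "FastEthernet0/2")}

# Log lines copied from the attack test above.
SAMPLE_LOG = """\
14:36:50: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/3, vlan 10.([0013.1a7f.8c21/192.168.1.2/0000.0000.0000/11.11.36.6/14:36:49 UTC Mon Mar 1 1993]).
14:36:51: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 10.([0013.1a7f.8c21/192.168.1.2/000d.bde6.a880/192.168.1.200/14:36:50 UTC Mon Mar 1 1993]).
14:36:55: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 10.([0013.1a7f.8c21/192.168.1.2/000d.bde6.a880/192.168.1.200/14:36:54 UTC Mon Mar 1 1993]).
"""

def parse_denies(text):
    """Return one dict per deny line (sender/target MAC and IP, port, VLAN, kind, count);
    lines that are not DAI deny messages are ignored."""
    out = []
    for m in DENY_RE.finditer(text):
        d = m.groupdict()
        d["count"], d["vlan"] = int(d["count"]), int(d["vlan"])
        out.append(d)
    return out

def spoof_report(denies, bindings=BINDINGS):
    """Aggregate denies per (port, vlan, sender MAC, sender IP); where the sender IP has a
    legitimate binding under another MAC, report whose address is being claimed."""
    totals = Counter()
    for d in denies:
        totals[(d["port"], d["vlan"], d["smac"], d["sip"])] += d["count"]
    report = []
    for (port, vlan, smac, sip), n in sorted(totals.items()):
        owner = bindings.get((sip, vlan))
        if owner and owner[0] != smac:
            report.append(f"{port} vlan {vlan}: {smac} claimed {sip} {n}x; "
                          f"bound to {owner[0]} on {owner[1]}")
        else:
            report.append(f"{port} vlan {vlan}: {smac} claimed unbound {sip} {n}x")
    return report
```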
Configuring dynamic ARP inspection in a non-DHCP environment

1) Enter global configuration mode: configure terminal
2) Define an ARP access control list: arp access-list <acl-name>
3) Define the permitted entries: permit ip host <sender-ip-address> mac host <sender-mac-address>
4) Apply the ARP ACL to the specified VLANs: ip arp inspection filter <acl-name> vlan <vlan-range> [static]
   static: with this keyword, the ACL's implicit deny statement is used to reject ARP packets that match no entry
5) Verify the result: show arp access-list

Example:

As in the figure, the DHCP server connected to switch A is removed, and switch B also has dynamic ARP inspection configured. If we configured port 1 of switch A as a trusted port, then, because a trusted port performs no inspection of ARP packets, switch B or host 2 could mount an ARP attack against switch A and host 1. So port 1 of switch A is configured as an untrusted port, but for host 2 and host 1 to communicate, an ARP access list permitting host 2 must be applied on switch A. If host 2's IP address is not static, switch A and switch B must be separated at layer 3 by adding a router between them to route packets between the two.

SwA#config terminal
SWA(config)#arp access-list cisco
SWA(config-arp-nacl)#permit ip host 192.168.1.3 mac host 0013.1a7f.8c21
SWA(config-arp-nacl)#exit
SWA(config)#int f0/23
SWA(config-if)#no ip arp inspection trust
SWA(config-if)#end
SWA(config)#ip arp inspection filter cisco vlan 10
--------------------------------------------------------------------------
SWA#show arp access-list
ARP access list cisco
    permit ip host 192.168.1.3 mac host 0013.1a7f.8c21
-------------------------------------------------------------------------
SWA#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
10    Enabled        Active     cisco      No

Vlan  ACL Logging  DHCP Logging
----  -----------  ------------
10    Deny         Deny

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
10    21         45       45          0

Vlan  DHCP Permits  ACL Permits  Source MAC Failures
----  ------------  -----------  -------------------
10    9             0            0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
10    0                  0                       0

Configuring a rate limit for ARP packets
When the incoming ARP packets exceed the configured rate limit, the switch puts the port into the err-disable state. The port stays in that state until the err-disable recovery timer expires.

1) Enter global configuration mode: configure terminal
2) Enter interface mode: interface <interface-id>
3) Configure the ARP packet rate limit: ip arp inspection limit rate <pps> [burst interval <seconds>]
   pps: packets per second, range 0-2048; the default on untrusted ports is 15 packets per second, and there is no rate limit on trusted ports
   burst interval: the burst interval in seconds, range 1-15
4) Enable recovery of the port from the err-disable state: errdisable recovery cause arp-inspection interval <seconds>
   By default, err-disable recovery is disabled; the recovery interval is 300 seconds, range 30-86400
5) Verify the result: show ip arp inspection interface

SWA# show ip arp inspection interface f0/23
Interface        Trust State  Rate (pps)  Burst Interval
---------------  -----------  ----------  --------------
Fa0/23           Untrusted    200         5

Validity checks
The network administrator can intercept, log and discard ARP packets with invalid MAC/IP address bindings based on the validity of the IP-to-MAC binding. The switch can be configured to check the destination MAC address, the IP address and the source MAC address as the basis of validation.

1) Enter global configuration mode: configure terminal
2) Configure the validity checks: ip arp inspection validate [src-mac|dst-mac|ip]
3) Verify the result:

SWA#show ip arp inspection statistics vlan 10
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
10    0          0        0           0

Vlan  DHCP Permits  ACL Permits  Source MAC Failures
----  ------------  -----------  -------------------
10    0             0            0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
10    0                  0                       0

Configuring the log buffer
1) Enter global configuration mode: configure terminal
2) Configure the log buffer: ip arp inspection log-buffer entries <count> | logs <count> interval <seconds>
   entries <count>: the number of entries the log buffer holds, range 0-1024
   logs <count> interval <seconds>: the number of entries that generate system messages within the specified interval
3) Specify what is logged; by default, all denied and dropped packets are logged: ip arp inspection vlan <vlan-id> logging acl-match [matchlog] | dhcp-bindings [all|none|permit]
   acl-match: log packets that match permit or deny entries of the ARP access list
   dhcp-bindings: log packets that are matched against the DHCP binding table
4) Verify the result: show ip arp inspection log

Example:

SWA(config)#ip arp inspection log-buffer entrie 15
SWA(config)#ip arp inspection log-buffer logs 100 interval 60000
SWA#show ip arp inspection log
Total Log Buffer Size : 15
Syslog rate : 100 entries per 60000 seconds.
Interface   Vlan  Sender MAC      Sender IP    Num Pkts  Reason     Time
----------  ----  --------------  -----------  --------  ---------  ----
Fa0/3       10    0013.1a7f.8c21  192.168.1.3  1         DHCP Deny  15:59:31 UTC Mon Mar 1 1993

This article is from the “无聊生活，积极面对” blog; to repost, please contact the author. This article is from the 51CTO.COM technical blog.


